Honeypot Thought: Why I Deploy "Student Blogs"

Quick question for my threat intel peeps:

When attackers compromise infrastructure, are they always going after your crown jewels, or are they looking for something else entirely?

Hint: A medical student's personal blog - hosted on a cheap VPS because university IT policies are restrictive - might be more valuable to an attacker than you think. 😉

Not because of what's ON it, but because of what they can DO with it!!

Cheap hosting. College/University nearby. SSH & FTP access because that's how the student "updates" their site. Perfect pivot point. 🦩

More on this coming SOON!

But if you're only thinking about honeypots as "fake business infrastructure," you're missing a huge piece of the attacker playbook!!

@sashatheflamingo #cybersecurity #infosec #ThreatIntel #honeypot

2026-03-09 RDP #Honeypot IOCs - 159 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.30.243 - 45
80.94.95.221 - 18
111.170.152.113 - 15

Top ASNs:
AS14061 - 45
AS396982 - 36
AS204428 - 18

Top Accounts:
hello - 63
Administr - 30
Test - 24

Top ISPs:
DigitalOcean, LLC - 45
Google LLC - 36
SS-Net - 18

Top Clients:
Unknown - 159

Top Software:
Unknown - 159

Top Keyboards:
Unknown - 159

Top IP Classification:
hosting - 87
Unknown - 66
mobile - 3

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-09 RDP #Honeypot IOCs - 106 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.30.243 - 30
80.94.95.221 - 12
111.170.152.113 - 10

Top ASNs:
AS14061 - 30
AS396982 - 24
AS204428 - 12

Top Accounts:
hello - 42
Administr - 20
Test - 16

Top ISPs:
DigitalOcean, LLC - 30
Google LLC - 24
SS-Net - 12

Top Clients:
Unknown - 106

Top Software:
Unknown - 106

Top Keyboards:
Unknown - 106

Top IP Classification:
hosting - 58
Unknown - 44
mobile - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-09 RDP #Honeypot IOCs - 53 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.30.243 - 15
80.94.95.221 - 6
111.170.152.113 - 5

Top ASNs:
AS14061 - 15
AS396982 - 12
AS204428 - 6

Top Accounts:
hello - 21
Administr - 10
Test - 8

Top ISPs:
DigitalOcean, LLC - 15
Google LLC - 12
SS-Net - 6

Top Clients:
Unknown - 53

Top Software:
Unknown - 53

Top Keyboards:
Unknown - 53

Top IP Classification:
hosting - 29
Unknown - 22
mobile - 1

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

Kevin Karhan (@kkarhan@infosec.space)

@signalapp@mastodon.world THERE IS *NO LEGITIMATE REASON* FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. *"#KYC"*)… - so yes I [do blame Signal](https://infosec.space/@kkarhan/116200585213177913) because this attack vector is unique to #Signal's shittiness and would not exist with @monocles@monocles.social / #monoclesChat or even [`cock.li`](https://cock.li) of all places…


Honeypot Deployment Pro Tip: Let Them Think They're Winning

Want to know a dirty little secret about honeypot deployment that I've been using for years?

When you spin up a new production server with SSH access, don't immediately lock it down behind a non-standard port. Let it sit on port 22 running your actual SSH daemon for the first 4-6 weeks.

Let the attackers find it. Let them probe it. Let them catalog it in their target lists as "real infrastructure worth attacking."

Then, after they've committed you to memory:

Move your real SSH to a non-standard port. Deploy OpenCanary SSH on port 22 configured to match the EXACT version banner of whatever you were running before.

Now here's the magic: The attackers think they're still hitting the same production system. But you're collecting every username and password combination they try. They don't know they've been demoted from "attacking production" to "feeding your threat intelligence."

It's totally deceptive. They invested weeks cataloging your server. They're not going to just give up because you didn't respond the way they expected.

I've been running this technique for years across my global honeypot network. Works every single time.

Remember to match the SSH version banner exactly - down to the patch level. OpenSSH 8.2p1 vs 8.2p2 matters to some scanners. Make it identical.

This is how you turn production infrastructure into long-term intelligence gathering without anyone noticing the transition.

You're welcome. 🦩
@sashatheflamingo #cybersecurity #infosec #honeypot #deceptiontech
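An added consistency check for the banner-swap step described in the post above (my own example, not the poster's tooling): it assumes OpenCanary's `ssh.enabled`, `ssh.port` and `ssh.version` keys as found in its default opencanary.conf, and uses a constructed captured banner in place of one grabbed from the real sshd.

```python
import json

# Constructed sample inputs (not from the post): the banner the real sshd
# served on port 22 during the "let them find it" weeks, and a fragment of
# opencanary.conf. The ssh.* keys are assumed from OpenCanary's default config.
CAPTURED_BANNER = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"
CANARY_CONF = json.loads("""{
  "ssh.enabled": true,
  "ssh.port": 22,
  "ssh.version": "SSH-2.0-OpenSSH_8.2p2 Ubuntu-4ubuntu0.5"
}""")


def parse_banner(banner):
    """Split an SSH identification string (RFC 4253 section 4.2) into
    (protoversion, softwareversion, comments)."""
    ident, _, comments = banner.partition(" ")
    if not ident.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto, _, software = ident[4:].partition("-")
    return proto, software, comments


def check_banner_swap(captured, conf, real_ssh_port):
    """Return a list of problems with the canary/real-sshd swap; an empty
    list means the decoy on port 22 matches what attackers catalogued."""
    problems = []
    if not conf.get("ssh.enabled"):
        problems.append("ssh.enabled is false")
    if conf.get("ssh.port") != 22:
        problems.append(f"canary ssh.port is {conf.get('ssh.port')}, expected 22")
    if real_ssh_port == conf.get("ssh.port"):
        problems.append("real sshd still listens on the canary port")
    want = parse_banner(captured)
    got = parse_banner(conf.get("ssh.version", "SSH-"))
    # Compare component by component so a patch-level slip (8.2p1 vs 8.2p2)
    # is reported as a software mismatch rather than a vague "differs".
    for name, w, g in zip(("protocol", "software", "comment"), want, got):
        if w != g:
            problems.append(f"{name} mismatch: canary {g!r} vs captured {w!r}")
    return problems


if __name__ == "__main__":
    # Real sshd assumed moved to 2222; the sample config still has a p2 banner.
    for p in check_banner_swap(CAPTURED_BANNER, CANARY_CONF, 2222):
        print("FIX:", p)
```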

Hanging out with the Epstein class

#TrumpEpstein #Espionage #Honeypot

Expanding the trap: MongoDB support is coming to @ThinkstCanary OpenCanary! 🛡️
I’ve always been a fan of Thinkst OpenCanary for its simplicity and effectiveness. However, I noticed a gap: as MongoDB remains one of the most targeted NoSQL databases by attackers (especially with the recent CVE), we needed a dedicated module to catch those specific "low and slow" probes.

I’m excited to share that I’ve officially submitted a Pull Request to add a MongoDB honeypot module to the OpenCanary ecosystem!

What this means:
• Realistic Decoys: Mimics a MongoDB instance to lure in attackers looking for data leaks.
• Granular Logging: Captures connection attempts and query patterns.
• Better Coverage: Extends your internal deception mesh to cover NoSQL environments.

Check out the PR here: https://github.com/thinkst/opencanary/pull/444
Huge thanks to the Thinkst team for maintaining such a vital open-source project. Feedback and testers are welcome!

#OpenSource #CyberSecurity #OpenCanary #Honeypot #MongoDB #InfoSec

2026-03-08 RDP #Honeypot IOCs - 207 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
80.94.95.221 - 93
194.165.16.165 - 12
66.175.211.81 - 12

Top ASNs:
AS204428 - 93
AS396982 - 36
AS48721 - 12

Top Accounts:
Administr - 99
Domain - 27
Test - 18

Top ISPs:
SS-Net - 93
Google LLC - 36
Flyservers S.A. - 12

Top Clients:
Unknown - 207

Top Software:
Unknown - 207

Top Keyboards:
Unknown - 207

Top IP Classification:
Unknown - 138
hosting - 60
proxy - 9

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

2026-03-08 RDP #Honeypot IOCs - 138 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
80.94.95.221 - 62
194.165.16.165 - 8
66.175.211.81 - 8

Top ASNs:
AS204428 - 62
AS396982 - 24
AS48721 - 8

Top Accounts:
Administr - 66
Domain - 18
Test - 12

Top ISPs:
SS-Net - 62
Google LLC - 24
Flyservers S.A. - 8

Top Clients:
Unknown - 138

Top Software:
Unknown - 138

Top Keyboards:
Unknown - 138

Top IP Classification:
Unknown - 92
hosting - 40
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security